Signature for packets with TCP flag RST set + any other flags

Hi there

I was wondering if someone could help me define a signature to alert when a packet is discovered which contains a RST flag along with any of the other flags set, i.e. a packet with RST and URG / RST and SYN etc.

alert tcp any any -> any any (msg:"RST + Other Flags TEST"; flags:R*UAPRSF; sid:153235;)

This is what I'm trying after reading the flag docs.

The doc says: "* match if any of the bits are set." From my understanding that means if R and any flag defined after the "*" is set, it will trigger, but it does not.

Thank you in advance

Looking at the code, I think flags:R*; should do what you want. It should return true if the RST flag is set, regardless of any other flags that may be set.

Hi Victor, thank you for your reply.

What I wanted is to not trigger the alert when ONLY a RST flag is set. I want to trigger the alert if the RST flag and at least 1 other flag is set.

That's the issue I'm trying to figure out.

I don’t think you can express this in a single flags statement. However, and I haven’t tried this, you could try doing something like:
flags:R*; flags:UAPSF12*;
The first condition should match if R is set alone or with others. The 2nd condition should match if any or all of the other flags are set.

Thank you Victor, I'll give it a go. I appreciate your time.

If that doesn't work, you could look for 0x04 (hex for just the RST), 13 bytes offset, using TCP HDR:

https://docs.suricata.io/en/latest/rules/header-keywords.html#tcp-hdr